bug: compare VAPID aud to endpoint_url (#1435)

bug: compare VAPID aud to endpoint_url Closes #1434
mozilla-services · Oct 7, 2020 · 6a11078 · 6a11078
1 parent a73c95a
commit 6a11078
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 16 deletions.
diff --git a/autopush/tests/test_integration.py b/autopush/tests/test_integration.py
@@ -65,9 +65,9 @@ def setup_module():
         raise SkipTest("Skipping integration tests")
 
 
-def _get_vapid(key=None, payload=None):
+def _get_vapid(key=None, payload=None, endpoint="http://localhost"):
     if not payload:
-        payload = {"aud": "http://localhost",
+        payload = {"aud": endpoint,
                    "exp": int(time.time()) + 86400,
                    "sub": "mailto:admin@example.com"}
     if not key:
@@ -754,7 +754,7 @@ def test_topic_no_delivery_on_reconnect(self):
     def test_basic_delivery_with_vapid(self):
         data = str(uuid.uuid4())
         client = yield self.quick_register()
-        vapid_info = _get_vapid()
+        vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
         result = yield client.send_notification(data=data, vapid=vapid_info)
         clean_header = client._crypto_key.replace(
             '"', '').rstrip('=')
@@ -768,7 +768,7 @@ def test_basic_delivery_with_vapid(self):
     def test_basic_delivery_with_invalid_vapid(self):
         data = str(uuid.uuid4())
         client = yield self.quick_register()
-        vapid_info = _get_vapid()
+        vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
         vapid_info['crypto-key'] = "invalid"
         yield client.send_notification(
             data=data,
@@ -781,7 +781,7 @@ def test_basic_delivery_with_invalid_vapid_exp(self):
         data = str(uuid.uuid4())
         client = yield self.quick_register()
         vapid_info = _get_vapid(
-            payload={"aud": "http://localhost",
+            payload={"aud": self.ep.conf.endpoint_url,
                      "exp": '@',
                      "sub": "mailto:admin@example.com"})
         yield client.send_notification(
@@ -790,7 +790,7 @@ def test_basic_delivery_with_invalid_vapid_exp(self):
             status=401)
 
         vapid_info = _get_vapid(
-            payload={"aud": "http://localhost",
+            payload={"aud": self.ep.conf.endpoint_url,
                      "exp": ['@'],
                      "sub": "mailto:admin@example.com"})
         yield client.send_notification(
@@ -814,7 +814,7 @@ def test_basic_delivery_with_invalid_vapid_aud(self):
 
         # try a different scheme
         vapid_info = _get_vapid(
-            payload={"aud": "https://localhost",
+            payload={"aud": self.ep.conf.endpoint_url,
                      "sub": "mailto:admin@example.com"})
         yield client.send_notification(
             data=data,
@@ -826,7 +826,7 @@ def test_basic_delivery_with_invalid_vapid_aud(self):
     def test_basic_delivery_with_invalid_vapid_auth(self):
         data = str(uuid.uuid4())
         client = yield self.quick_register()
-        vapid_info = _get_vapid()
+        vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
         vapid_info['auth'] = ""
         yield client.send_notification(
             data=data,
@@ -839,7 +839,7 @@ def test_basic_delivery_with_invalid_signature(self):
         data = str(uuid.uuid4())
         client = yield self.quick_register()
         vapid_info = _get_vapid(
-            payload={"aud": "https://pusher_origin.example.com",
+            payload={"aud": self.ep.conf.endpoint_url,
                      "sub": "mailto:admin@example.com"})
         vapid_info['auth'] = vapid_info['auth'][:-3] + "bad"
         yield client.send_notification(
@@ -852,7 +852,7 @@ def test_basic_delivery_with_invalid_signature(self):
     def test_basic_delivery_with_invalid_vapid_ckey(self):
         data = str(uuid.uuid4())
         client = yield self.quick_register()
-        vapid_info = _get_vapid()
+        vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
         vapid_info['crypto-key'] = "invalid|"
         yield client.send_notification(
             data=data,
@@ -1545,7 +1545,7 @@ def test_webpush_monthly_rotation_no_channels(self):
     @inlineCallbacks
     def test_with_key(self):
         private_key = ecdsa.SigningKey.generate(curve=ecdsa.NIST256p)
-        claims = {"aud": "http://localhost",
+        claims = {"aud": self.ep.conf.endpoint_url,
                   "exp": int(time.time()) + 86400,
                   "sub": "a@example.com"}
         vapid = _get_vapid(private_key, claims)

diff --git a/autopush/web/webpush.py b/autopush/web/webpush.py
@@ -72,8 +72,8 @@ def extract_subscription(self, d):
                 ckey_header=d["ckey_header"],
                 auth_header=d["auth_header"],
             )
-        except (VapidAuthException):
-            raise InvalidRequest("missing authorization header",
+        except (VapidAuthException) as ex:
+            raise InvalidRequest("missing authorization header: {}".format(ex),
                                  status_code=401, errno=109)
         except (InvalidTokenException, InvalidToken):
             raise InvalidRequest("invalid token", status_code=404, errno=102)
@@ -429,9 +429,7 @@ def validate_auth(self, d):
             raise InvalidRequest("Invalid bearer token: No Audience specified",
                                  status_code=401, errno=109,
                                  headers={"www-authenticate": PREF_SCHEME})
-        if jwt['aud'] != "{}://{}".format(
-                self.context["conf"].endpoint_scheme or "http",
-                self.context["conf"].hostname):
+        if jwt['aud'] != self.context["conf"].endpoint_url:
             raise InvalidRequest(
                 "Invalid bearer token: Invalid Audience Specified",
                 status_code=401, errno=109,